Here are the outlines that I think would be helpful:
Chapter 7
• Organizational governance: a process by which organizations select objectives, establish processes to achieve objectives, and monitor performance.
• Objective setting includes defining mission, vision, purpose, and strategies to establish relationships.
• Mission (example): to be the leading producer of household products in the regions
• Strategic objectives (example): to be in the top quartile of product sales for retailers
• Strategy: expand production of our top 5 selling retail products to meet increased need
• Related objectives (example): hire x-amount of new staff; maintain product quality.
• Enterprise risk management (ERM) proves to be an effective process for organizational governance (OG).
• ERM: a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
• ERM’s four categories:
➢ Strategic: high-level goals aligned with and supporting its mission
➢ Operations: effective and efficient use of its resources
➢ Reporting: reliability of reporting
➢ Compliance: compliance with applicable laws and regulations
• ERM’s 8 components: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communications, and monitoring.
• Under event identification: risks are events that would have a negative impact on objectives; opportunities are events that would have a positive impact.
• Business process management (BPM) often facilitates the implementation and assessment of a system of internal controls.
• With BPM, manual processes are automated.
• Internal control: a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives.
• Internal controls have 3 categories: effectiveness and efficiency of operations; reliability of financial reporting; and compliance with applicable laws and regulations.
• Internal control’s 5 components: control environment (the tone of the organization), risk assessment, control activities, information and communication, and monitoring.
• Process: a series of actions or operations leading to a particular and usually desirable result.
• Results: could be risk management, effective internal control, or a specified output of an operations process for a particular market or customer.
• Internal control might also be treated as a system.
• No matter how sound the control processes may be, they will fail unless the personnel who apply them are competent and honest.
• Computer fraud, computer abuse and computer crime
• Computer crime includes crime in which the computer is the target of the crime or the means used to commit the crime:
➢ Computer is used as a tool of the criminal to accomplish the illegal act
➢ Computer or the information stored in it is the target of the criminal. Computer viruses fall into this category. A computer virus is program code that can attach itself to other programs, thereby infecting those programs and macros. Viruses can reproduce themselves in a manner analogous to biological viruses.
➢ Control matrix: a tool designed to assist you in evaluating the potential effectiveness of controls in a business process by matching control goals with relevant control plans.
➢ Control goals of operations processes:
➢ ensure effectiveness of operations: strive to ensure that a given operational process is fulfilling the purpose for which it was intended
➢ ensure efficient employment of resources (efficiency can be evaluated only in a relative sense)
➢ ensure security of resources
➢ Control goals of information processes: machine-readable form for capturing data
➢ Ensure input validity: avoid fictitious cash receipts
➢ Ensure input completeness: all events are included
➢ Ensure input accuracy: everything that is input is accurate.
➢ 2 types of updates that can be made to master data: information processing and data maintenance
➢ Update completeness: all events entered into a system must be reflected in the respective master data (e.g., the A/R master file).
➢ Update accuracy: data entered into a system must be reflected correctly in the respective master data (e.g., the A/R master file).
• Programming error when updating (example): adding a cash receipt to the accounts payable master file
• Operational error when updating (example): failing to execute some intermediate steps in the process
• An online real-time processing system makes the input and update occur nearly simultaneously, which minimizes the possibility that the update will be incomplete or inaccurate.
• Control plans: reflect information-processing policies and procedures that assist in accomplishing control goals
➢ Control environment: top level, comprised of a multitude of factors; overall policies and procedures that demonstrate an organization’s commitment to the importance of control. As the overall protection, it enhances the effectiveness of the pervasive and application control plans.
➢ Pervasive control plans: second level of protection; they pervade all aspects of a business equally. These controls, along with a major subset of them, general controls (also known as IT general controls), relate to a multitude of goals and processes.
➢ Business process control plans: third level; these controls, along with a major subset of them, application controls, relate to a specific AIS process or to the technology used to implement the process; often applied to billing or cash receipts.
• Another way to classify controls: preventive, detective and corrective
• Rule: implement preventive plans because, in the long run, it is cheaper and less disruptive to operations to prevent. A combination of all three is recommended.